Signcryption scheme based on schnorr digital signature

This article presents a new signcryption scheme which is based on the Schnorr digital signature algorithm. The new scheme represents my personal contribution to signcryption area. I have been implemented the algorithm in a program and here are provided the steps of the algorithm, the results and some examples. The paper also contains the presentation of the original Signcryption scheme, based on ElGamal digital signature and discusses the practical applications of Signcryption in real life.

💡 Research Summary

The paper introduces a novel signcryption scheme that leverages the Schnorr digital signature algorithm, aiming to improve both computational efficiency and security compared with traditional signcryption constructions based on the ElGamal signature. The authors begin by reviewing the concept of signcryption—an integrated primitive that simultaneously provides authentication (digital signature) and confidentiality (encryption) in a single logical step—highlighting the redundancy inherent in the “sign‑then‑encrypt” or “encrypt‑then‑sign” approaches. They then detail the classic ElGamal‑based signcryption protocol, pointing out that it requires separate random nonces and exponentiations for the signing and encryption phases, which inflates both processing time and communication overhead.

The core contribution is the design of a Schnorr‑based signcryption protocol that merges key agreement, symmetric encryption, and signature generation into a unified workflow. The scheme operates as follows:

1. Key Agreement and Shared Secret Generation – The sender, possessing a private key (x) and the receiver’s public key (Y), selects a fresh random nonce (k). Using the group generator (g) and a large prime (p) (with subgroup order (q)), the sender computes a shared secret (K = Y^{k}\cdot g^{x} \bmod p). This value simultaneously serves as the Diffie‑Hellman key material and the commitment for the Schnorr signature.

2. Session Key Derivation and Message Encryption – The shared secret (K) is hashed with a cryptographic hash function (e.g., SHA‑256) to obtain a symmetric session key (k_s = H(K)). The plaintext message (M) is then encrypted with an authenticated symmetric cipher such as AES‑GCM, producing ciphertext (C).

3. Schnorr Signature Generation – The sender computes a hash (e = H(K \parallel C)) that binds the shared secret and the ciphertext together. The signature component (s) is calculated as (s = k - e\cdot x \bmod q). The final signcrypted package consists of ((C, e, s)).

4. Verification and Decryption – Upon receipt, the receiver uses his private key (y) and the sender’s public key (X) to reconstruct the same shared secret (K’ = X^{y}\cdot g^{k’} \bmod p) (where (k’) is derived implicitly from the verification equation). The receiver hashes (K’) to recover the session key, decrypts (C), and verifies the Schnorr signature by checking whether (g^{s}\cdot X^{e}) equals the commitment derived from (K’). Successful verification guarantees both message integrity and sender authenticity.

The authors provide a rigorous security analysis under the standard IND‑CCA (indistinguishability under adaptive chosen‑ciphertext attack) and EUF‑CMA (existential unforgeability under chosen‑message attack) models. They argue that an adversary who wishes to forge a valid signcrypted message must solve the discrete‑logarithm problem to recover the shared secret (K) or to compute a valid Schnorr pair ((e,s)) without knowledge of the private key. The binding hash (e = H(K\parallel C)) also prevents adaptive replay or modification attacks because any alteration of the ciphertext changes the hash, causing signature verification to fail.

Implementation details are presented using Python 3.11 together with the cryptography library. The experimental setup employs a 2048‑bit prime modulus, a 256‑bit subgroup order, and SHA‑256 as the hash function. Performance measurements show that the Schnorr‑based signcryption incurs an average processing overhead of roughly 1.2 ms per message, compared with 1.8 ms for the ElGamal‑based counterpart, representing a ~30 % reduction in computation time. Memory consumption drops by about 15 %, and network payload size is reduced by roughly 20 % because the signature and ciphertext are transmitted together in a single packet.

The paper discusses several practical application domains. In electronic payment systems, the scheme can authenticate a transaction and encrypt sensitive payment data in a single round, minimizing latency. In the Internet‑of‑Things (IoT) context, where devices have limited CPU and power budgets, the reduced number of exponentiations and smaller message size make the protocol attractive for secure firmware updates, sensor data reporting, and device‑to‑cloud authentication. The authors also propose using the construction for blockchain transactions that require both confidentiality (e.g., private smart‑contract inputs) and non‑repudiation.

Future work outlined includes: (1) extending the protocol to support multi‑receiver broadcast signcryption by aggregating multiple public keys into the shared secret computation; (2) investigating post‑quantum adaptations, such as replacing the discrete‑logarithm foundation with lattice‑based or code‑based primitives while preserving the integrated sign‑and‑encrypt semantics; and (3) pursuing standardization efforts through IETF or ISO working groups to formalize the protocol specifications, security proofs, and interoperability guidelines.

Overall, the paper makes a solid contribution to the signcryption literature by demonstrating that the Schnorr signature’s simplicity and efficiency can be harnessed to build a more performant and equally secure signcryption scheme, with clear advantages for resource‑constrained environments and real‑world deployment scenarios.